Gurnett has released a piece of software that, he says, helped him recover the key needed to decrypt the data on an infected Windows XP computer in his lab. The software has not been tested widely on Windows XP, and even where it works there are limitations. Windows XP systems were not the hardest hit during the last week of the WCry outbreak, so the value of this recovery technique is limited.
He named the software WannaKey. He said: "This software has only been tested on Windows XP, and it is only known to be effective on Windows XP. If you want to use it, the computer must not have been restarted after being infected. In addition, you also need some luck; the software may not be effective in all cases."
Matt Suiche, founder and researcher at Comae Technologies, reported that Gurnett’s decryption tool was ineffective.
The WCry ransomware, also known as WannaCry, encrypts all the data on a computer after infecting it, and the hacker asks the victim to pay a ransom of $300 to $600 to obtain the key needed to recover the data. The ransomware uses the Microsoft Cryptographic API (Application Programming Interface, CryptoAPI) built into Windows for several functions, including generating the keys that encrypt and decrypt files. In most versions of Windows, the API clears the key from memory after it has been created and retrieved.
On Windows XP, however, a limitation prevents the API from clearing it, so the prime numbers used to generate the WCry key may remain in memory until the computer is shut down. WannaKey scans the memory of the Windows XP system and extracts that information.
"If you are lucky enough (that is, the associated memory blocks have not been reallocated or cleared), these prime numbers may still reside in memory," he said.
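The recovery idea described above, as an added illustration that is not Gurnett's WannaKey or Suiche's wanakiwi code: a toy RSA key pair stands in for the CryptoAPI-generated key, one prime is left in a constructed "memory dump", and a sliding window that tests each candidate against the public modulus is enough to rebuild the private exponent. Key size, seed and dump contents are assumptions chosen for the demo; a real WCry key is 2048-bit, so the window would be 128 bytes.

```python
# Added demo, not Gurnett's WannaKey or Suiche's wanakiwi: one RSA prime left in
# process memory is enough to rebuild the private key. Sizes and dump are constructed.
import random

def is_prime(n):
    """Deterministic Miller-Rabin for 37 < n < 3.18e23 (covers 64-bit primes)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_prime(c) and (c - 1) % 65537:              # keep e invertible
            return c

def make_keypair(bits=64, seed=20170512):
    """Toy RSA keygen standing in for CryptoAPI; returns (n, e, p, q)."""
    rng = random.Random(seed)                     # constructed fixed seed
    p, q = random_prime(bits, rng), random_prime(bits, rng)
    return p * q, 65537, p, q

def find_prime_in_memory(dump, n, prime_bytes):
    """Slide a window over the dump; CryptoAPI stores bignums little-endian."""
    for off in range(len(dump) - prime_bytes + 1):
        cand = int.from_bytes(dump[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:        # a divisor of n is p or q
            return off, cand
    return None                                   # unlucky: memory reused

def private_exponent(n, e, p):
    """Rebuild d from the recovered prime and the public key (n, e)."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))
```

The `None` path is the "no luck" case from the quote: once the page holding the prime has been reused or zeroed, nothing in the dump divides the modulus and the key cannot be rebuilt.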
He said on Twitter: "I completed the decryption process and can confirm that the key can be recovered from XP on this computer." He posted a screenshot of the computer on Twitter.
wanakiwi: Automated wanadecrypt with key recovery if lucky